Manually Validating Vulnerabilities from a Vulnerability Scan

I just wanted to get your input on how you manually validate vulnerabilities from a vulnerability scan or a vulnerability release from a vendor. Say you received a report with a high vulnerability, and the vulnerability scanner used a version check of the header. If there are no public exploits for this vulnerability, how would you check it if you do not have access to the server internally? An example would be CVE-2019-13917; I can't seem to find a public exploit to throw at the server to validate the vulnerability, and my last resort would be to send it to the IT team responsible. Is this the right approach? If there are no public exploits, the only other way is to create an exploit yourself by reverse engineering the patch from the vendor…

I have been given a report from the Shodan vulnerability scanner, which seems to do a version check, and I need to validate whether the vulnerabilities are actually an issue.

I know that version checking is prone to a large number of false positives; is there any way around this?

Regards
Brad

The error "Error validating credentials due to invalid username or password" comes up when trying to upload files to SharePoint from a Python script

I am trying to upload files to a SharePoint folder structure which has already been created. I have used two files for this.
Config_template:

# Configuration values (credentials and site details are placeholders).
config = dict()
config['sp_user'] = 'abs@xyz.com'
config['sp_password'] = 'pass@123'
config['sp_base_path'] = 'https://xyz.sharepoint.com'
config['sp_site_name'] = '/sites/bootromandhsesecurity/Shared%20Documents/Forms/AllItems.aspx?originalPath=0d66ed181f1&id=%2Fsites%2Fbootromandhsesecurity%2FShared%20Documents%2F%2FSprint3'
config['sp_doc_library'] = 'Sprint3'

The next file is sharepoint_upload:

import requests
from shareplum import Office365
from .config_template import config  # relative import: run as part of a package

def up():
    # get data from configuration
    username = config['sp_user']
    password = config['sp_password']
    site_name = config['sp_site_name']
    base_path = config['sp_base_path']
    doc_library = config['sp_doc_library']

    # raw string so the backslash in the Windows path is not treated as an escape
    file_name = r"TestCaseDatabase\Sprint3_Test_Report.xlsx"

    # Obtain auth cookie
    authcookie = Office365(base_path, username=username, password=password).GetCookies()
    session = requests.Session()
    session.cookies = authcookie
    session.headers.update({'user-agent': 'python_bite/v1'})
    session.headers.update({'accept': 'application/json;odata=verbose'})

    # Request a form digest; the real value is taken from the response headers below
    session.headers.update({'X-RequestDigest': 'FormDigestValue'})
    response = session.post(url=base_path + "/sites/" + site_name + "/_api/web/GetFolderByServerRelativeUrl('" + doc_library + "')/Files/add(url='a.txt',overwrite=true)",
                            data="")
    session.headers.update({'X-RequestDigest': response.headers['X-RequestDigest']})

    # perform the actual upload
    with open(file_name, 'rb') as file_input:
        try:
            response = session.post(
                url=base_path + "/sites/" + site_name + "/_api/web/GetFolderByServerRelativeUrl('" + doc_library + "')/Files/add(url='"
                + file_name + "',overwrite=true)",
                data=file_input)
        except Exception as err:
            print("Some error occurred: " + str(err))

The username and password have been changed here for security reasons, but when the correct details are given, the following error occurs:

Error authenticating against Office 365. Error from Office 365:’, ‘AADSTS50126: Error validating credentials due to invalid username or password

Where am I going wrong?

P.S – I have been using Microsoft authenticator for logging into the SharePoint folder, where I need to approve my login on my mobile, is that causing the problem?

gui design – In a validator app, how to keep focus on the content you’re validating?

I've got a specialized text validation application where the user can either type or copy/paste the text, or load a file in, then hit Validate for the screen to transition to the results area. Here's a demo. If you click on an error, a little window opens up at the bottom which shows you the part of the example where the error is.

In user testing, the fact that focus is being taken away from the content being validated to the results page was shown to be a problem: they’d like the focus to stay on the text and the errors to be just complementary to it, in order to have a fast validate-edit-validate feedback loop.

What’s the best way to redesign the experience here to keep the focus on the text?

My initial thoughts are to split the window halfway so the errors are shown from the bottom, and the text itself never goes anywhere. Is there a better approach?

linux – DKIM Validating Signature, Result = Fail Details: Body Has Been Altered

I have 2 mail servers:
Main Mail Server = Microsoft Exchange Server
Secondary Mail Server = Ubuntu Postfix, only as SMTP Relay.
The Exchange Server is using Ubuntu Postfix SMTP as Smarthost,
and the problem is that Exchange Server needs to use third-party software to integrate with DKIM.
I used DKIM Exchange (https://github.com/Pro/dkim-exchange) as the third-party software,
by following this tutorial: https://colinwilson.uk/2017/07/19/setting-up-dkim-for-exchange-server/
But I got a problem when checking the DKIM Signature on https://dkimvalidator.com/
I got an error like this:

DKIM Information:
DKIM Signature
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=default;
c=relaxed/relaxed; t=1619877233; h=from:subject:to:date:message-id;
bh=iOObCKJdXN6HiMEEGHi3hTEvUHxZe5CdQrWy7paoGeo=;
b=KHjroY6llEGwgpFXQwvTggVvN8pWkRarZfbxPMWZ3J6axLy7fngoJ7VXA/AJB9sc/N+UasENrvy
nflG8WgnKgN12Bh6VHC0xt/2M7SjtOI9CknSg3Bi0EZsYRqD5JJZqBWobNLV51sYbfT0W7KjdOkQX
i5u1sWfV4qskQKyIl48L3M9ktKyYEpZqlkr/a2iEJfVr+eMVrR8VnCbse/ccpZwEMHA5VtdWGh200
F60MITxLG0lYwZQ//RcOOjX9qTEKDxRdbRnFbvagGO7Co39bSyPw9Co6S7K+BI0tVO8Df9uV2H5ee
NqKQJQDZ50VdZLi8wQwSWCiT7gfukJUUsA1g==

Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: example.com s= Selector: default
q= Protocol:
bh= iOObCKJdXN6HiMEEGHi3hTEvUHxZe5CdQrWy7paoGeo=
h= Signed Headers: from:subject:to:date:message-id
b= Data: KHjroY6llEGwgpFXQwvTggVvN8pWkRarZfbxPMWZ3J6axLy7fngoJ7VXA/AJB9sc/N+UasENrvy
nflG8WgnKgN12Bh6VHC0xt/2M7SjtOI9CknSg3Bi0EZsYRqD5JJZqBWobNLV51sYbfT0W7KjdOkQX
i5u1sWfV4qskQKyIl48L3M9ktKyYEpZqlkr/a2iEJfVr+eMVrR8VnCbse/ccpZwEMHA5VtdWGh200
F60MITxLG0lYwZQ//RcOOjX9qTEKDxRdbRnFbvagGO7Co39bSyPw9Co6S7K+BI0tVO8Df9uV2H5ee
NqKQJQDZ50VdZLi8wQwSWCiT7gfukJUUsA1g==

Public Key DNS Lookup
Building DNS Query for default._domainkey.example.com
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq4UV1gOKAQ+Gr9BmFSrGZbo3ll16g8itrrEwBckyGRYD2g+DKINm5fUYNUxn2bILpeh3AT2gJnbGydQNc7p02Hia1H/jnKDbvTfvnmcUQGHLQGYsnSgIJM3f+B5qrpyjfNufyrSr4L4YCBUr1o0KoN4p2p97iOr+MQiHY4sYIDPAcsaQ4zpAcxDmmSbtXbbBdYileN7Anpkm9ODJtNNNZzxH68jFI7ioVjInX8G1mWLKP4sxPoTa86R5C/zu97a0agXPusrCd1bWGKPxFhCUvJpFzdICUdLsVo9mEwbB12kpGrplYPgOb6B1YKn3iu/XBezv/8EIjG/N7+hAEz9C1wIDAQAB

Validating Signature
Result = fail
Details: body has been altered

Anyone have the solution for this? The DKIM Record is Valid but DKIM Signature is failing…
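"Body has been altered" means the bh= the signer computed no longer matches the body the validator received, usually because something in the relay path changed the body. As an added example (not from the post, dkim-exchange or dkimvalidator.com), this Python reimplements RFC 6376 relaxed body canonicalization and the bh= computation so you can recompute the hash over a message captured after the Postfix relay and see whether the change is one relaxed canonicalization tolerates; the sample bodies and the footer are constructed.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+$", b"", line)   # ignore whitespace at end of line
        line = re.sub(rb"[ \t]+", b" ", line)   # collapse WSP runs to a single SP
        lines.append(line)
    while lines and lines[-1] == b"":            # ignore empty lines at end of body
        lines.pop()
    if not lines:                                # empty body canonicalizes to empty
        return b""
    return b"\r\n".join(lines) + b"\r\n"         # body always ends with one CRLF


def body_hash(body: bytes) -> str:
    """The bh= value for a=rsa-sha256 with c=*/relaxed."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def check_body_hash(received_body: bytes, bh_from_header: str) -> bool:
    """True if the body as received still matches the bh= the signer put in the header."""
    return body_hash(received_body) == bh_from_header


def explain_mismatch(original: bytes, received: bytes) -> str:
    """Classify a change: tolerated by relaxed canonicalization, or a real alteration."""
    if original == received:
        return "identical"
    if relaxed_body(original) == relaxed_body(received):
        return "whitespace-only change: tolerated by c=relaxed"
    return "content change: bh= will not match (body has been altered)"


# Constructed sample: the body as signed on Exchange ...
SIGNED_BODY = b"Hello,\r\n\r\nPlease find the report attached.  \r\n\r\n"
# ... a copy where only whitespace changed in transit (survives relaxed) ...
REWRAPPED_BODY = b"Hello,\r\n\r\nPlease find the report  attached.\r\n"
# ... and a copy where the relay appended a footer line (constructed footer text).
FOOTERED_BODY = SIGNED_BODY + b"-- \r\nScanned by relay\r\n"

if __name__ == "__main__":
    bh = body_hash(SIGNED_BODY)
    for name, body in [("rewrapped", REWRAPPED_BODY), ("footered", FOOTERED_BODY)]:
        print(name, check_body_hash(body, bh), "->", explain_mismatch(SIGNED_BODY, body))
```

Headers get the same treatment under the h= list, so a relay that rewrites From, Subject or Date breaks the signature too, even when the body is untouched.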

Error validating a transaction with blockcypher

I've created a testnet transaction using the BlockCypher API (https://api.blockcypher.com/v1/btc/test3/txs/new) and then signed the transaction using the signer (Go). Then I sent the signed transaction to BlockCypher (https://api.blockcypher.com/v1/btc/test3/txs/send).

But it's returning an error:

Error validating generated transaction: Error running script for input 0 referencing e41a5ceca53f2cd6076f3a100137d6182d0bd567d91e508f4171712b9c67f429 at 0: Script was NOT verified successfully.

The response I’m receiving:

{
  "errors": [
    {
      "error": "Error validating generated transaction: Error running script for input 0 referencing e41a5ceca53f2cd6076f3a100137d6182d0bd567d91e508f4171712b9c67f429 at 0: Script was NOT verified successfully."
    }
  ],
  "tx": {
    "block_height": -1,
    "block_index": -1,
    "hash": "c514900d8ed184c37bd795c30f24d56508c40ca5f65c2bf8d724162fd8976353",
    "addresses": [
      "tb1qy0jm6vmy2vmndpzzj34z6h6xnelta98d0ukf6s",
      "tb1qwchaysp9wfukq54yee8uye20f2c5zkpl97elvx"
    ],
    "total": 3996400,
    "fees": 3600,
    "size": 222,
    "vsize": 141,
    "preference": "low",
    "relayed_by": "2a01:4f8:192:6027::2",
    "received": "2021-05-01T09:34:02.926591638Z",
    "ver": 1,
    "double_spend": false,
    "vin_sz": 1,
    "vout_sz": 2,
    "confirmations": 0,
    "inputs": [
      {
        "prev_hash": "e41a5ceca53f2cd6076f3a100137d6182d0bd567d91e508f4171712b9c67f429",
        "output_index": 0,
        "output_value": 4000000,
        "sequence": 4294967295,
        "addresses": [
          "tb1qwchaysp9wfukq54yee8uye20f2c5zkpl97elvx"
        ],
        "script_type": "pay-to-witness-pubkey-hash",
        "age": 1973087,
        "witness": [
          "3045022100a4a53cc0eaae807e5c3500af2132a8e575823fc0ff7ceb92de94b739920810ba0220339aa4128967654977b6afb8be9a8897c5e822e2cb5659fe987c106bec44101e",
          "03f2cfd459014d4f19f36e28dcae329ca4f6b263d4d7c13ca7317a75b1a130f0f6"
        ]
      }
    ],
    "outputs": [
      {
        "value": 2000000,
        "script": "001423e5bd33645337368442946a2d5f469e7ebe94ed",
        "addresses": [
          "tb1qy0jm6vmy2vmndpzzj34z6h6xnelta98d0ukf6s"
        ],
        "script_type": "pay-to-witness-pubkey-hash"
      },
      {
        "value": 1996400,
        "script": "0014762fd2402572796052a4ce4fc2654f4ab141583f",
        "addresses": [
          "tb1qwchaysp9wfukq54yee8uye20f2c5zkpl97elvx"
        ],
        "script_type": "pay-to-witness-pubkey-hash"
      }
    ]
  },
  "tosign": [
    ""
  ]
}

Any help would be greatly appreciated. Thank you all.
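Whatever makes the input script fail, a transaction an API assembled for you should be checked before it is signed: each output's script must decode to the address you intended to pay. As an added example (not the poster's signer or BlockCypher's code), this Python decodes the two P2WPKH output scripts from the response above and re-encodes them as bech32 (BIP 173) testnet addresses to compare with the addresses the response claims.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # BIP 173 alphabet
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]

def bech32_polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk

def bech32_checksum(hrp, data):
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    polymod = bech32_polymod(expanded + data + [0] * 6) ^ 1  # bech32 (witness v0), not bech32m
    return [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]

def convertbits(data, frombits, tobits):
    acc, bits, out = 0, 0, []            # regroup 8-bit bytes into 5-bit groups, pad the last
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & ((1 << tobits) - 1))
    if bits:
        out.append((acc << (tobits - bits)) & ((1 << tobits) - 1))
    return out

def p2wpkh_script_to_address(script_hex, hrp="tb"):
    """Decode 'OP_0 PUSH20 <hash160>' and return its bech32 address ('tb' = testnet)."""
    script = bytes.fromhex(script_hex)
    if len(script) != 22 or script[0] != 0x00 or script[1] != 0x14:
        raise ValueError("not a P2WPKH output script")
    data = [0] + convertbits(script[2:], 8, 5)   # witness version 0 + 20-byte program
    return hrp + "1" + "".join(CHARSET[d] for d in data + bech32_checksum(hrp, data))

def outputs_match(outputs):
    """True when every output in an API response pays to the address it claims."""
    return all(p2wpkh_script_to_address(o["script"]) == o["addresses"][0] for o in outputs)

# Outputs copied from the BlockCypher response above
RESPONSE_OUTPUTS = [
    {"value": 2000000, "script": "001423e5bd33645337368442946a2d5f469e7ebe94ed",
     "addresses": ["tb1qy0jm6vmy2vmndpzzj34z6h6xnelta98d0ukf6s"]},
    {"value": 1996400, "script": "0014762fd2402572796052a4ce4fc2654f4ab141583f",
     "addresses": ["tb1qwchaysp9wfukq54yee8uye20f2c5zkpl97elvx"]},
]
```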

Validating REST API requests against previous requests as part of a larger process

I am building a REST API for warehouse inventory picking.

I have a very shallow understanding of REST, so to me that just == stateless and try to make your URL mappings nouns instead of verbs.

The picking process looks like this:

  1. Scan QR on the shipping instruction sheet, which contains an order number along with all SKUs and their quantities. This could be thought of as an aggregate for the entire picking transaction, kicking off the order as "in progress".

  2. Iterate the following steps until all SKUs are picked

    2.a: Scan QR on the physical location being picked from

    2.b: Scan QR on the inventory container at the location

    2.c: Scan QR on the customer label that will be attached to the inventory container

  3. Scan QR on the physical delivery location and drop off the order

Each one of these steps has its own API endpoint and needs to validate things like

  • Does the order number match the order this user is currently picking?
  • Is this location allowed to be picked from for this order number?
  • Is this a valid inventory container for the order? (SKU not already picked, SKU actually on the order, correct quantity, that sort of thing)
  • Does the SKU on the customer label match the SKU that was previously scanned on the inventory container?

I don’t understand how I could create a stateless REST API that meets these requirements. Without state, how do I validate the integrity of every request to make sure the order is being picked correctly?

I had the thought that maybe I’ll just have the client pass in the current state of the order on every request (giving me all the data I need to validate a request) but then that assumes I actually trust the client to maintain the correct state, which of course is a bad idea.

Or maybe I could maintain the state of the order on a backend database, and have the client pass me the order number on every request to look it up? This just seems like state with extra steps.

Or maybe I need to move past the idea that this HAS to be a stateless system and break the rules of REST?

Thanks in advance for any advice!
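Added example (not the poster's code) of the "state on the backend, order number in every request" option: each endpoint handler receives only what the scanner sends (caller identity, order number, scanned code) and validates it against authoritative order state held server-side, so nothing the client claims about progress is trusted. ORDERS stands in for the database, the order data is constructed, and PickError is where a handler would return HTTP 409.

```python
from dataclasses import dataclass, field

class PickError(Exception):
    pass  # a scan inconsistent with server-side order state; the endpoint answers 409

@dataclass
class Order:
    number: str
    required: dict            # SKU -> quantity on the shipping instruction sheet
    locations: set            # locations this order may be picked from
    picker: str               # user who scanned the sheet and owns the pick
    status: str = "in_progress"           # in_progress -> delivered
    picked: dict = field(default_factory=dict)
    pending: tuple = None     # (sku, qty) of the container scanned, label not yet scanned

ORDERS = {}                   # stand-in for the backend database, keyed by order number

def _active_order(user, number):
    order = ORDERS.get(number)
    if order is None or order.status != "in_progress" or order.picker != user:
        raise PickError("order is not in progress for this user")
    return order

def scan_sheet(user, number, required, locations):        # step 1
    ORDERS[number] = Order(number, dict(required), set(locations), user)
    return ORDERS[number].status

def scan_location(user, number, location):                # step 2.a
    if location not in _active_order(user, number).locations:
        raise PickError(f"location {location} not allowed for order {number}")
    return True

def scan_container(user, number, sku, qty):               # step 2.b
    order = _active_order(user, number)
    if sku not in order.required:
        raise PickError(f"SKU {sku} is not on order {number}")
    if order.picked.get(sku, 0) + qty > order.required[sku]:
        raise PickError(f"SKU {sku} already picked or quantity too high")
    order.pending = (sku, qty)
    return True

def scan_label(user, number, sku):                        # step 2.c
    order = _active_order(user, number)
    if order.pending is None or order.pending[0] != sku:
        raise PickError("label SKU does not match the container just scanned")
    order.picked[sku] = order.picked.get(sku, 0) + order.pending[1]
    order.pending = None
    return dict(order.picked)

def scan_delivery(user, number):                          # step 3
    order = _active_order(user, number)
    if order.picked != order.required:
        raise PickError("not every SKU on the order has been picked")
    order.status = "delivered"
    return order.status
```

The HTTP layer stays stateless in the sense that matters: every request is self-describing and can hit any server, while the order itself is a resource whose state lives in the database.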

What’s the most elegant way of validating incoming jsons to AWS Kinesis firehose against a schema?

So my ingestion data comes from IoT -> Kinesis Firehose -> S3; the thing is, I want to throw away JSONs that do not comply with my schema.

I have to throw them away before they reach S3, as I'm using a Glue crawler to build a schema off it, and it can cause issues later in the queries and processing if the JSONs are not similar.

One way to do it is using a transformation Lambda, with a maximum buffer of 3MB (which seems wasteful, as our data rate is huge, so it will cause a large number of Lambda invocations).

Even so, I don't want to hard-code the schema into the Lambda.

So, if there's no other decent option but a transformation Lambda, where should I keep the schema? Should I use AWS AppConfig, then request that schema and validate the JSON against it?

There's also the Glue Schema Registry, but I'm not sure if it can be easily integrated into just a Lambda.

Any other ideas would be appreciated.
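Added example (not the poster's code): a Firehose transformation Lambda handler that validates each record against a schema loaded from configuration rather than from code (SCHEMA_JSON is an assumed environment variable that a deployment would populate from AppConfig, S3 or the Glue Schema Registry) and marks non-conforming records Dropped so they never reach S3. The validator covers only the type/required/properties subset of JSON Schema, and the schema and records are constructed.

```python
import base64
import json
import os

TYPES = {"object": dict, "array": list, "string": str, "number": (int, float),
         "integer": int, "boolean": bool}

def validate(instance, schema, path="$"):
    """Violations against a small JSON Schema subset: type, required, properties."""
    expected = schema.get("type")
    if expected and (not isinstance(instance, TYPES[expected])
                     or (expected != "boolean" and isinstance(instance, bool))):
        return [f"{path}: expected {expected}, got {type(instance).__name__}"]
    errors = []
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}.{key}: required property missing")
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors.extend(validate(instance[key], sub, f"{path}.{key}"))
    return errors

def transform_record(record, schema):
    """One Firehose record -> Ok (forwarded), Dropped (schema violation) or ProcessingFailed."""
    try:
        payload = json.loads(base64.b64decode(record["data"]))
    except (ValueError, KeyError):
        return {"recordId": record["recordId"], "result": "ProcessingFailed"}
    if validate(payload, schema):
        return {"recordId": record["recordId"], "result": "Dropped"}
    data = base64.b64encode((json.dumps(payload) + "\n").encode()).decode()
    return {"recordId": record["recordId"], "result": "Ok", "data": data}

def lambda_handler(event, context=None, schema=None):
    # Schema is configuration, not code: SCHEMA_JSON is an assumed env var.
    schema = schema or json.loads(os.environ["SCHEMA_JSON"])
    return {"records": [transform_record(r, schema) for r in event["records"]]}

# Constructed sample: the schema IoT producers must satisfy, and three records
SAMPLE_SCHEMA = {"type": "object", "required": ["device_id", "ts", "temp"], "properties": {
    "device_id": {"type": "string"}, "ts": {"type": "integer"}, "temp": {"type": "number"}}}

def _rec(i, obj):
    return {"recordId": f"rec-{i}", "data": base64.b64encode(json.dumps(obj).encode()).decode()}

SAMPLE_EVENT = {"records": [
    _rec(1, {"device_id": "dev-1", "ts": 1619877233, "temp": 21.5}),  # Ok
    _rec(2, {"device_id": "dev-2", "temp": "hot"}),                    # Dropped
    {"recordId": "rec-3", "data": "bm90IGpzb24="},                     # not JSON -> ProcessingFailed
]}
```

Records marked ProcessingFailed are written by Firehose to the error prefix of the destination bucket, so malformed input is kept for inspection without polluting the crawled data.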

customs and immigration – (Type D visa holder) How much proof is required when validating

I am a non-EU citizen; however, I hold a German residence permit (type D).

I am entitled to travel to other Schengen countries for 90 days out of every 180 days.

My question is this:

If I was to be in a Schengen country other than Germany and an immigration officer asked me to prove that I had been there less than 90 days, how much proof would I need to provide to be given clearance? Would a train ticket showing my date of arrival be enough? Would I also have to show bank transactions proving that I was in Germany prior to the date on the train ticket?

I am just wondering how thorough they are when it comes to validating the evidence of location provided by a traveller. It seems as though it would be pretty easy to buy a train ticket but not actually take the train and then use it as (fake) evidence of your whereabouts. Am I wrong?

Also, when is this check likely to occur? When I fly home to my country after my residence permit expires, are they likely to pull me up at the airport and look over how many days I spent outside of Germany in other Schengen countries? Or is it only gonna happen if I get unlucky at a border crossing?

authentication – Request time out for validating and showing information of the token

I could not understand what the difference between X-Auth-Token and X-Subject-Token is. I read in the documentation that "X-Auth-Token is a valid authentication token for an administrative user", and I think X-Subject-Token is the authentication token which we want to validate. However, I wonder whether they are both generated in the same way or not. Is it correct to say that both of them are tokens and the only thing that differs is that we know X-Auth-Token is validated and we do not know whether X-Subject-Token is validated or not?
I would like to validate my token. I generated two tokens via the "Token authentication with unscoped authorization" OpenStack API. Then, I sent a request to the "validate and show information for token" OpenStack API. I passed nothing as data, and I set headers like below:

'Content-Type: application/json',
'X-Auth-Token: first_token',
'X-Subject-Token: second_token'

It says the request you have made requires authentication. In the case that I pass data like below, I get request time out error.

{
    "auth" : {
        "identity" : {
            "methods" : ["token"],
            "token" : {
                "id" : "first_token"
            }
        }
    }
}

What should I do?
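Added example (not the poster's code) that puts the two Keystone v3 calls side by side: issuing a token is a POST to /v3/auth/tokens with a JSON body, and the token comes back in the X-Subject-Token response header; validating one is a GET to the same path with no body, where X-Auth-Token is the caller's own token and X-Subject-Token is the token being checked. Both tokens are issued the same way; only their role in the validation request differs. The requests are built as plain dicts so the logic runs offline, and the base URL, user and token strings are constructed placeholders.

```python
import json
import urllib.request


def issue_token_request(base_url, user, password, user_domain="Default"):
    """POST /v3/auth/tokens with the 'password' method (unscoped). Keystone returns
    the new token in the X-Subject-Token *response* header, not in the JSON body."""
    body = {"auth": {"identity": {"methods": ["password"], "password": {"user": {
        "name": user, "password": password, "domain": {"name": user_domain}}}}}}
    return {"method": "POST", "url": f"{base_url}/v3/auth/tokens",
            "headers": {"Content-Type": "application/json"}, "body": json.dumps(body)}


def token_from_headers(response_headers):
    """Pick X-Subject-Token out of the issue response, whatever its letter case."""
    for name, value in response_headers.items():
        if name.lower() == "x-subject-token":
            return value
    raise KeyError("no X-Subject-Token header in response")


def validate_token_request(base_url, caller_token, token_to_check):
    """GET /v3/auth/tokens, no body: X-Auth-Token proves who is asking,
    X-Subject-Token names the token whose validity is being checked."""
    return {"method": "GET", "url": f"{base_url}/v3/auth/tokens", "body": None,
            "headers": {"X-Auth-Token": caller_token, "X-Subject-Token": token_to_check}}


def interpret_validate_status(status):
    """Map the validate call's status code to which of the two tokens is at fault."""
    return {200: "subject token is valid (response body carries its details)",
            401: "caller token (X-Auth-Token) is missing or not valid",
            403: "caller token is valid but not allowed to validate this token",
            404: "subject token (X-Subject-Token) is invalid, expired or revoked",
            }.get(status, f"unexpected status {status}")


def send(req):
    """Perform a built request (assumes network access to the Keystone endpoint)."""
    data = req["body"].encode() if req["body"] else None
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r) as resp:
        return resp.status, dict(resp.headers), resp.read().decode()
```

A "requires authentication" answer to the validate call points at X-Auth-Token, not at the token being checked; an invalid subject token is reported as 404.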